
Security Policy

Last updated: 2026-06-04

This Security Policy describes how Sparxsys Solutions Limited ("we", "us") designs, builds, and maintains the QR Code for Jira app to protect your data and systems.

Our Security Commitment

QR Code for Jira is built on Atlassian Forge, Atlassian's serverless runtime. This means:

  • We operate no servers, data centres, or network infrastructure of our own.
  • All compute, storage, and infrastructure security is provided and maintained by Atlassian (ISO 27001 / SOC 2 certified).
  • Our responsibility is limited to the application code itself.

Architecture & Data Handling

Property               Detail
Runtime                Atlassian Forge (serverless, nodejs22.x)
Data egress            None — all API calls stay within Atlassian
External services      None — no third-party services contacted
Personal data stored   None — no PII is collected or retained
QR code generation     Client-side only, using the open-source qrcode npm library

The only data the app writes to persistent storage is an admin-configured list of enabled project IDs, keys, and names in Atlassian's @forge/kvs. This is app configuration data, not user data.

Principle of Least Privilege

The app requests the minimum scopes required for its function; every Jira data scope requested is read-only:

  • read:project:jira
  • read:board-scope:jira-software
  • read:issue-details:jira
  • read:filter:jira
  • read:jira-work
  • read:jira-user
  • storage:app

No Jira write or administrative scopes are requested. storage:app is not a Jira scope: it grants access only to the app's own Forge storage, which holds the configuration data described above.

Authentication & Access Control

  • All user-facing Jira API calls use asUser() — requests are made under the permissions of the currently authenticated Jira user, not elevated app credentials, so the app cannot show a user any project, board, filter, or issue that Jira would not show them directly.
  • The app never uses asApp() for actions that affect user data.
  • User authentication and identity management are handled entirely by Atlassian.

Secure Development Lifecycle

  • All code changes go through peer review via pull request before merging.
  • A CI/CD pipeline (Bitbucket Pipelines) runs the full automated test suite on every commit.
  • Backend test coverage is enforced at ≥ 95%; frontend at ≥ 90%.
  • npm audit runs on every build; Critical and High severity findings block releases.
  • Third-party dependencies are monitored for vulnerabilities and updated regularly.

Input Validation & Injection Prevention

  • All user-supplied search queries passed to Jira REST APIs are URL-encoded via encodeURIComponent.
  • Atlassian Forge's route tagged template literal URL-encodes every value interpolated into a request path, so user input cannot add query parameters or path segments to an API call.
  • The React frontend renders all values through JSX, which escapes them (no dangerouslySetInnerHTML is used), preventing XSS.
  • No SQL, shell commands, or dynamic code evaluation is used anywhere in the app.
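The following is an added example, not code from the QR Code for Jira app or from @forge/api. The `route` function below is a small stand-in that mirrors the documented contract of Forge's route tagged template (literal template text is trusted, every interpolated value is URL-encoded); `searchRoute`, `issueRoute`, `parseRequest` and the `unsafe*` functions are hypothetical names used only to contrast plain string interpolation with the encoded form. The hostile inputs are constructed for the demonstration.

```javascript
// Added example, not code from the QR Code for Jira app or from @forge/api.
// `route` is a stand-in for Forge's route tagged template: the literal parts
// of the template are written by the developer and kept verbatim, while every
// interpolated value is treated as untrusted and URL-encoded.
function route(strings, ...values) {
  return strings.reduce((acc, literal, i) => {
    const value = i < values.length ? encodeURIComponent(String(values[i])) : "";
    return acc + literal + value;
  }, "");
}

// Vulnerable pattern: plain interpolation lets a caller-controlled value add
// query parameters, and an issue "key" containing "/" or ".." rewrites the path.
function unsafeSearchRoute(jql) {
  return `/rest/api/3/search?jql=${jql}&maxResults=50`;
}
function unsafeIssueRoute(issueKey) {
  return `/rest/api/3/issue/${issueKey}`;
}

// Hardened pattern: the same requests built through the tagged template.
// In a Forge app the returned string is what you hand to
// api.asUser().requestJira(...).
function searchRoute(jql) {
  return route`/rest/api/3/search?jql=${jql}&maxResults=50`;
}
function issueRoute(issueKey) {
  return route`/rest/api/3/issue/${issueKey}`;
}

// See the route the way Jira's REST layer will: the resolved path and the
// query parameter names in order (duplicates kept, because the first
// occurrence is usually the one a server honours).
function parseRequest(routeString) {
  const url = new URL(routeString, "https://jira.example.invalid");
  return {
    pathname: url.pathname,
    paramNames: [...url.searchParams.keys()],
    jql: url.searchParams.get("jql"),
    maxResults: url.searchParams.get("maxResults"),
  };
}

// Constructed hostile inputs (not taken from the page): a JQL string that
// smuggles extra parameters, and an issue key that tries to walk up the path.
const hostileJql = "project = DEMO&maxResults=5000&fields=*all";
const hostileKey = "../../myself";

const unsafe = parseRequest(unsafeSearchRoute(hostileJql));
const safe = parseRequest(searchRoute(hostileJql));
console.log(unsafe.paramNames, unsafe.maxResults); // [ 'jql', 'maxResults', 'fields', 'maxResults' ] '5000'
console.log(safe.paramNames, safe.maxResults);     // [ 'jql', 'maxResults' ] '50'
console.log(safe.jql === hostileJql);              // true: the JQL text reaches Jira's parser unchanged
console.log(parseRequest(unsafeIssueRoute(hostileKey)).pathname); // /rest/api/myself
console.log(parseRequest(issueRoute(hostileKey)).pathname);       // /rest/api/3/issue/..%2F..%2Fmyself
```

The encoded form keeps the user's text inside the single parameter it was meant for: Jira's JQL parser still sees it verbatim and can reject it as invalid JQL, but it cannot change maxResults, request extra fields, or reach a different endpoint. Because the template encodes interpolations itself, each value should be encoded exactly once; a value that has already been passed through encodeURIComponent and is then interpolated into route is double-encoded (a space becomes %2520 rather than %20), and Jira would see the literal percent sequence instead of the intended character.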

Logging

  • The app logs errors only (console.error on caught exceptions).
  • No user data, issue content, project names, access tokens, or personally identifiable information is written to logs.
  • Forge platform-level logs are retained and managed by Atlassian.

Cryptography & Encryption

  • All data in transit uses TLS (enforced by Atlassian Forge — no plain HTTP is possible).
  • Data at rest in Forge KVS is encrypted by Atlassian's infrastructure.
  • The app does not implement any custom cryptography or manage encryption keys.

Vulnerability Management

  • Dependency vulnerabilities are identified using npm audit on every CI build.
  • Severity triage follows CVSS scoring:
    • Critical / High — patched and released as an emergency fix.
    • Medium / Low — addressed in the next regular release cycle.
  • Customers are notified of security fixes via the Atlassian Marketplace release notes.

Incident Response

In the event of a security incident or discovered vulnerability:

  1. The incident is assessed and triaged within 48 hours.
  2. Atlassian is notified via ecosystem.atlassian.net.
  3. Affected customers are notified using Atlassian's Security Incident Communication Template.
  4. A patched version is released as quickly as possible.
  5. A post-incident review is conducted for Critical severity events.

We follow Atlassian's Marketplace Security Bug Fix Policy.

Supply Chain

Our primary dependency is the Atlassian Forge platform. Application-layer dependencies are standard npm packages (React, qrcode, Forge SDK). All dependencies are tracked in package-lock.json and audited on every build.

Responsible Disclosure

If you discover a security vulnerability in QR Code for Jira, please report it responsibly by email to security@sparxsys.com.

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and release a fix. We aim to acknowledge all reports within 48 hours.

Compliance

Framework                                        Status
Atlassian Marketplace Security Requirements      Compliant
GDPR (data minimisation, no PII stored)          Compliant
Atlassian Forge Security Model                   Compliant
CAIQ Lite v4 (CSA)                               See CAIQ responses

Contact

For security enquiries, contact us at security@sparxsys.com.

For general support, visit the Atlassian Marketplace listing or open a support ticket.